Day 2: Thursday, July 15, 2021, 15:00 to 16:00 (1 hour 00 minutes)
As the use of online services has increased in recent years, the number of phishing attempts targeting their users has also been increasing. In particular, since last year, there has been a sharp increase in the number of “spoofing” phishing e-mails that use the real domain or e-mail address of the service. Of course, these e-mails can be identified if DMARC, the outgoing domain authentication technology, has been deployed. However, DMARC is not yet widely enough used across services and users in Japan.
In order to protect consumers from this situation, in December 2020, the Consumer Affairs Committee of the Cabinet Office submitted its “Opinion on Addressing the Phishing Problem”. In response to this, businesses that have been affected by phishing and spoofed e-mails are moving to introduce DMARC.
In this session, we would like to show examples of sophisticated phishing and the effects of introducing outgoing domain authentication technology, and discuss measures for full-scale introduction in Japan with participants.
The session will also cover common misconfigurations, such as cases where outbound domain authentication was thought to be supported but in fact did not work, and share information on precautions for correct configuration and related technologies such as BIMI, which can visually display the destination.
Is it beneficial to Japanese network operators from a technical/operational perspective?
Only operators can protect users and organizations with technologies such as outgoing domain authentication.
A reduction in the flow of fraudulent e-mails would be beneficial to the operators as it would reduce the waste and load of various resources.
Are the discussion points clear?
Compared to foreign services, domestic services do not have sufficient DMARC support. Since there is a possibility that domestic services will become less competitive or become a hotbed of fraudulent e-mails in the future, we would like to have a discussion on how to promote DMARC.
Can we expect to gain new findings through the presentation/discussion?
Sending domain authentication can only be effective if it is supported on both the sending and receiving sides. I would like to make a presentation that will serve as a bridge between organizations and services in various fields so that they can smoothly respond to the common goal of reducing the damage caused by phishing (spoofing) e-mails.
Shuji Sakuraba (JPAAWG / Internet Initiative Japan Inc.)
Nobuyo Hiratsuka (Council of Anti-Phishing Japan / JPCERT/CC)